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(54) Scheme, system and equipment for Inter-equipment authentication and key delh/ery 



(57) An inter-equipment authentication and key 
delivery scheme, system, and equipment is provided 
which is capable of making authentication of an IC card 
ID signature, by comparison of a decrypted ICCID with 
another ICCID reproduced by dividing transmitted data. 
The inter-equipment authentication and key delivery 
scheme, system, and equipment can be used, for exam- 
ple, when an automobile passes by roadside equipment 
at a tolibooth. and the roadside equipment transmits a 
random digit (RND) generated therein as challenge 
data to an IC card via onboard equipment, and the IC 



card transmits back to the roadside equipment the ran- 
dom digit after encrypting^it with a secret key Kicc. The 
IC card also transmits its ID (ICCID) and a certificate of 
individual IC card key CERT-Kicc together with the ran- 
dom digit. The roadside equipment divides the transmit- 
ted data into a response data E(Kicc. RND). the ICCID, 
and the certificate of individual IC card key CERT-Kicc. 
The roadside equipment 130 reproduces the Kicc and 
the ICCID by decrypting (DEC) the certificate of individ- 
ual IC card key CERT-Kicc using a valklation key PC. 
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E)escription 

FIELD OF THE INVENTION 

[0001] The present invention relates to a scheme, . 
system, and equipment for inter-equipment authentica- 
tion and key delivery, for example an equipment authen- 
tication and cryptographic communications system for 
making mutual authentication of legitimacy with each 
other among any of great many user-end equipment 
provided with an IC card and system-end equipment, 
and transmitting and receiving data In secrecy from 
other than the two communicating equipment Further, 
as another example the present invention relates to an 
automated electronic toll collection and authentication 
system and a method of authentication which is so 
devised that roadside equipment and central process- 
ing equipment are capable of making a direct authenti- 
cation for the legitimacy of an IC card. 

BACKGROUND OF THE INVENTION 

[0002] In the case of transmitting a valuable data to 
an opposite party, it is generally necessary to authenti- 
cate that equipment of the communicating party is legit- 
imate. It is also necessary that the data on a 
conmunicattons path is kept secret from a third party, 
and protected from tampering or wrongful alteration on 
the communications path. An automated electronic toll 
collection (i.e.. an electronic toll collection, which will be 
hereinafter refenred to as "ETC") system on a highway 
using wireless communications is a typical example that 
requires such feature of communications security. 
[0003] The system executes a toll collection for a 
highway by means of communications between 
onboard equipment installed in an autonrtoblle and road- 
side equipment provided at a gate of a tolibooth. In this 
Instance, the onboard equipment and the roadside 
equipment respectively imply user-end equipment and 
system-end equipment. The onboard equipment is pro- 
vided with a removable IC card. The IC card has a func- 
tion of prepaid card, and it is imprinted with information 
of a cash balance beginning with a given amount (e.g. 
10,000 yen). 

[0004] At a gate of a highway entrance (hereinafter 
referred to as "entrance gate"), the onboard equipment 
transmits information of an ID number of the onboard 
equipment to the roadside equipment, and the roadside 
equipment transmits to the onboard equipment informa- 
tion of an entry (such as a gate number and time of the 
entry), which is recorded in the IC card. 
[0005] At a gate of a highway exit (hereinafter 
refen-ed to as "exit gate"), on the other hand, the 
onboard equipment transmits the entry information and 
cash balance information to another roadside equip- 
ment, so that the roadskie equipment computes a tdl 
charge of the highway according to the entry informa- 
tion. The roadside equipment revises the cash balance 



by subtracting the toll charge from the previous cash 
balance, and transmits the balance information to the 
onboard equipment. The roadside equipment makes a 
transaction for unsealed payment, if the cash balance is 

5 short of the toll charge. 

[0006] Settlement for the toll charge of highway with 
wireless communications in the foregoing manner Is 
intended to reduce traffic congestion at entrance and 
exit gates. It is antrcipated that there are several millions 

10 of onboard equipment, and several thousands of road- 
side equipment in one system. 
[0007] In order for the system to operate success- 
fully, the following security problems must be cleared, in 
addition to achieving infallible high-speed wireless com- 

15 munications. 

[0008] First, the roadside equipment must authenti- 
cate that individual onboard equipment is legitimate. It 
must make an immediate determination of forgery for 
any communications made with counterfeit onboard 

20 equipment or a forged IC card, so as to take a counter- 
measure such as closing the gate or recording a vehicle 
license number. On the other hand, it is also necessary 
for the onboard equipment to authenticate that the road- 
side equipment Is legitimate. Even if someone has 

25 attempted to obtain an economical gain by making a 
communications to the ortooard equipment with coun- 
terfeit roadside equipment, and rewriting information in 
an IC card with a toll charge for a shorter section than 
what it should be, the onboard equipment must be so 

30 designed that such attempt shall fail . 

[0009] Further, the system shall be such that com- 
munications between the onboard equipment and the 
roadside equipment Is not intercepted by a third party, 
and contents of it are protected from being used fraudu- 

35 lently 

[0010] The required conditions as described above 
can be satisfied with an addition of such features gener- 
ally known as authentication function and cryptographic 
function to the wireless communications. As one way of 

40 realizing the foregoing functions, the onboard equip- 
ment and the roadside equipment need to share a 
secret key cryptographic algorithm and certain secret 
infomiation. The secret information is generally called a 
cryptographic key or a deayption key 

45 [0011] It is important to note that there is a quite 
large number of onboard equipment used in this sys- 
tem. A consideration is given now for a case that secret 
information of onboard equipment "X" is identical to 
secret information of onboard equipment "Y". If there is 

50 counterfeit onboard equipment "X' which is made by 
analyzing a content of the onboard equipment "X", tiie 
system is able to prevent an unlawful use of the onboard 
equipment "X* " by utilizing a negative list for excluding 
such unlawful use of the equipment "X' However, the 

55 negative list also excludes a proper use of the legitimate 
onboard equipment *y" at the same time. For this rea- 
son, the seaet Information for individual onboard equip- 
ment needs to be different from one another. 
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[0012] In this case, the matter of how the roadside 
equipment obtains the secret information of individual 
onboard equipment is important. One of the methods is 
to store information consisting of an ID and secret infor- 
mation for every one of the onboard equipment, in the s 
roadside equipment. However, this method creates a 
big burden when renewing contents stored in several 
thousands of the roadside equipment employed in the 
system. It also has a weakness in security that the 
secret information for all of the onboard equipment is w 
disclosed, if any one of the roadside equipment is ana- 
lyzed. 

[001 3] As described, the prior art system for equip- 
ment authentication and cryptographic communica- 
tions, if used for realizing the system security, has a is 
problem that a wrongful analysis of system-end equip- 
ment causes a detrimental effect to all of the user-end 
equipment. 

[0014] In addition, the ETC authentication system 
of the prior art, due to a restriction in the system, makes 20 
a two-step authentication, in which the roadside equip- 
ment verifies the onboard equipment, and the onkx>ard 
equipment verifies the IC card. That is, the system can 
make only an indirect authentication of the IC card. 
[001 5] A method of the foregoing authentication will 25 
be desaibed further by referring to Fig. 5 and Fig. 6, 
Fig. 5 depicts an operation of mutual authentication 
between an (C card and onboard equipment. 
[0016] In Fig. 5: 

30 

(1) An IC card ICC 41 transmits to onboard equip- 
ment, or OBE, 42. a certificate of verified IC card 
key CERT-PICP issued by an ETCS key center and 
a certificate of individual IC card key CERT-KICC 
given by an IC card issue center. At the same time, 35 
the IC card 41 also transmits to the onkx)ard equip- 
ment 42 a random digit R2 generated therein as a 
challenge data for it to make an authentication of 
the onboard equipment: 

40 

(2) The onboard equipment 42 produces a valida- 
tion key PICP issued by the IC card issue center 
from the certificate of verified IC card key CERT- 
PICP by means of restorable-type signature 
authentication. Rverify (Pel. CERT-PICP) using a 45 
validation key Pel provided by the ETCS key 
center: 

(3) The onboard equipment 42 produces an individ- 
ual IC card key KICC from the certificate of Individ- so 
ual IC card key CERT-KICC by means of restorable- 
type signature authentication. Rverify (PICC. 
CERT-KICC) using the PICP: 

(4) The onboard equipment 42 generates a session ss 
--" toy KsJ and returns it to the IC card 41. after 

encrypting it with the individual IC card key KICC 
produced in the above step, i.e., after making a 



process of E(KICC, Ksl). In addition, the onboard 
equipment 42 generates a random digit R1, 
encrypts R1 R2. and returns the encrypted result, 
or E(Ks1 , R1 R2) to the IC card 41 as a response to 
the random digit R2. The IC card 41 compares a 
decrypted result of it with the originally generated 
random digit R2 to determine if they match in order 
to authenticate that the onboard equipment 42 is 
legitimate, and continues a subsequent transactbn. 
The IC card 41 discontinues the transaction if they 
do not match: 

(5) The onboard equipment 42 encrypts the ran- 
dom digit R1 generated therein with the received 
random digit R2 using the key Ks1. and transmits a 
result E(Ks1 , R1 R2) as a challenge to the IC card 
41 . The IC card 41 decrypts it to produce the ran- 
dom digit R1 . encrypts it with a session key Ks2, i.e. 
a transaction for E(Ks1. R1 Ks2). and returns it to 
the onboard equipment 42 as a response: and 

(6) The onboard equipment 42 decrypts the 
encrypted random digit by the session key Ksl, 
compares the result with the originally generated 
random digit R1, and continues a subsequent 
transaction, if they match so that the IC card 41 is 
verified as being legitimate. The onboard equip- 
ment 42 discontinues the transaction if they do not 
match, 

[0017] As described, an execution of the above 
authentication protocol can attain the mutual authenti- 
cation between the IC card 41 and the onboard equip- 
ment 42, as a first step. As a second step, a mutual 
authentication between the onboard equipment and the 
roadside equipment will be described. 
[0018] Fig. 6 depicts an operation of the mutual 
authentication between the onboard equipment and the 
roadside equipment. 
[0019] In Fig. 6: 

(1) Onboard equipment, or OBE, 51 encrypts a ran- 
dom digit K using an indivklual key KOBE, and 
sends the encrypted data E(KOBE. K) and a certif- 
icate of individual onboard equipment key CERT- 
KOBE to the roadside equipment, or RSE. 52: 

(2) The roadside equipment 52 produces OBEID 
KOBE from the certificate of individual onboard 
equipment key CERT-KOBE with a signature 
authentication key Pc2 of the ETCS key center, by 
the following formula: 

X = c1P + c2Q = OBEID KOBE 

(3) The onboard equipmerit 51 sends a challenge 
data K generated therein to the roadside equipment 
52, and authenticates the roadside equipment 52 
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by confirming that the roadside equipment 52 can 
properly decrypt it using the individual key KOBE; 
and 

(4) The roadside equipment 52 encrypts the chal- 5 
lenge data R2 generated therein with the individual 
key KOBE, i.e. a transaction for E(KOBE, K R2), 
and authenticates the onboard equipment 51 by 
confirming that the onboard equipment 51 can 
decrypt it. w 

[0020] As has been described, the ETC authentica- 
tion system of the prior art makes a two-step authenti- 
cation, in which the roadside equipment authenticates 
the onboard equipment, and the onboard equipment is 
authenticates the IC card, so that the roadside equip- 
ment can make only an indirect authentication of the 10 
card. Accordingly, the prior art system has a problem of 
not being capable of directly exchanging data between 
the 10 card and the roadside equipment, when the 20 
onboard equipment passes under the roadside equip- 
ment. It also has another problem that the system is not 
escapable from becoming complicated and costly 
because of the two-step authentication. 
[0021] The present invention is therefore intended 25 
to provide an ETO authentication system and a method 
of the authentication, in which roadside equipment and 
central processing equipment are capable of making a 
direct authentication for legitimacy of an 10 card. 

30 

SUtVIAflARY OF THE INVENTION 

[0022] A scheme, system, and equipment for inter- 
equipment authentication and key delivery of the 
present invention is an equipment authentication and 35 
cryptographic communications system, which includes 
user-end equipment, an "m" number of system-end 
equipment, and a key center for administrating legiti- 
macy of all of the equipment. Each of an "n" number of 
the user-end equipment has individual user-end equip- 4o 
ment's information issued by the key center, and individ- 
ual user-end equipment's secret information 
corresponding to the individual user-end equipment's 
information. The user-end equipment transmits the indi- 
vidual user-end equipment's informatfon to the system- 4s 
end equipment. The system-end equipment receives 
the individual user-end equipment's information from 
the user-end equipment, and reproduces the individual 
user-end equipment's secret information from the 
received individual user-end equipment's information, so 
The system-end equipment makes an authentication of 
legitimacy of the user-end equipment by confirming that 
the user-end equipment has^the individual user-end 
equipment's secret information by means of a challenge 
response utilizing a common key cryptographic algo- ss 
rithm. The user-end equipment and the system-end 
equipment then make a ayptographic communications 
using the individual user-end equipment's secret infor- 



mation shared mutually between them. 
[0023] The foregoing structure allows the system- 
end equipment to share the individual user-end equip- 
ment's secret information for each of the user-end 
equipment without storing it in a form of database, and 
enables the system-end equipment to make an authen- 
tication of legitimacy of the user-end equipment as well 
as a cryptographic communications. 
[0024] In the scheme, system, and equipment for 
inter-equipment authentication and key delivery of the 
present invention, the system-end equipment has same 
system-end equipment's secret information as the one 
possessed by the key center, and produces individual 
user-end equipment's secret information from the indi- 
vidual user-end equipment's information using the sys- 
tem-end equipment's secret information. The user-end 
equipment makes an authentication of legitimacy of the 
system-end equipment by confirming that the system- 
end equipment has the individual user-end equipment's 
secret information byway of a challenge response utiliz- 
ing the common key cryptographic algorithm. 
[0025] The above-described structure allows the 
system-end equipment and the individual user-end 
equipment to share the individual user-end equipment's 
secret information, and enables the user-end equip- 
ment to make an authentication of legitimacy of the sys- 
tem-end equipment as well as a ayptographic 
communications. 

[0026] In the scheme, system, and equipment for 
inter-equipment authentication and key delivery of the 
present invention, the system-end equipment is also 
provided with a secret key cryptographic algorithm and 
means for reproducing the individual user-end equip- 
ment's secret information by making a system-conver- 
sion of the individual user-end equipment's information 
using a secret key. 

[0027] The above-described structure allows the 
system-end equipment to share the individual user-end 
equipment's secret information for each of the user-end 
equipment without storing it in a form of database, to 
make an authentication of legitimacy of the user-end 
equipment using the mutually shared individual user- 
end equipment's secret information, and to make a 
cryptographic communications. 
[0028] In the scheme, system, and equipment for 
inter-equipment authentication and key delivery of the 
present invention, the system-end equipment and the 
user-end equipment are both provided with means for 
making a cryptographic communications using Informa- 
tion shared nnutually between them by exchanging 
secret information that they possess individually. 
[0029] The above-described structure allows the 
system-end equipment to share the individual user-end 
equipment's secret information for each of the user-end 
equipment without storing it in a form of database. Also, 
even if either the system-end equipment or the gser-end 
equipment is analyzed, the cryptographic communica- 
tions can not be intercepted only with information dis- 
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closed by the analysis. 

[0030] In the scheme, system, and equipment for 
inter equipment authentication and key delivery of the 
present invention, the system-end equipment and the 
user-end equipment are both provided with means for s 
making a cryptographic communications by way of 
exchanging seaet information that they possess indi- 
vidually, and generating new secret information for the 
cryptographic communications by combining their own 
secret information with the exchanged information 10 
according to a prearranged procedure. 
[0031] With the above-described structure, even if 
either the system-end equipment or the user-end equip- 
ment is analyzed, the cryptographic communications 
can not be interpreted only with information disclosed is 
by the analysis. 

[0032] In the scheme, system, and equipment for 
inter-equipment authentication and key delivery of the 
present invention, the system-end equipment and the 
user-end equipment are both provided with means for: 20 
(a) generating secret information by encrypting the new 
secret information, which has been exchanged and 
combined in the above-cited step, with the individual 
user-end equipment's secret information: and (b) mak- 
ing a cryptographic communications using the secret 25 
information. 

[0033] With the above-described structure, even if 
communications is interested in both ways between 
the system-end equipment and the user-end equip- 
ment, the cryptographic communications can not be 30 
interpreted only with information disclosed by the inter- 
ception. 

[0034] In the scheme, system, and equipment for 
inter-equipment authentication and key delivery of the 
present invention, the system-end equipment and the 35 
user-end equipment are both provided with means for 
(a) generating their respective random digits individu- 
ally; (b) exchanging the Information with each other as 
separate secret information; and (c) having a crypto- 
graphic communications. 40 
[0035] With the above-described structure, even if 
the individual user-end equipment's secret information 
is disclosed as a result of interception of the communi- 
cations in both ways between the system-end equip- 
ment and the user-end equipment, the subsequent 4S 
cryptographic communicatfons will not carry the same 
risk of interception. 

[0036] In the scheme, system, and equipment for 
inter-equipment authentication and key delivery of the 
present Invention, the system-end equipment and the so 
user-end equipment are both provid«i with means for: 
(a) generating their respective random digits individu- 
ally: (b) combining own information peculiar to each of 
the system-end equipment and the user-end equipment 
with the random digits according to a predetermined ss 
procedure; (c) generating secret information by encrypt- 
ing the combined information with the individual user- 
end equipment's secret information; (d) exchanging the 
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encrypted information with each other as separate indi- 
vidual secret information; (e) decrypting the combined 
information by using the individual user-end equip- 
ment's secret information shared mutually between 
them in the foregoing step; (f) breaking the combination 
according to a predetermined procedure; (g) mutually 
sharing the random digits exchanged with each other 
between the system-end equipment and the user-end 
equipment as individual secret information in the same 
manner as the random digits they generated indivkiu- 
ally; and (h) making a cryptographic communication. 
[0037] With the foregoing structure, even if the com- 
munication is wrongfully intercepted in both ways 
between the system-end equipment and the user-end 
equipment and a replay attack is attempted, the crypto- 
graphic communication carries no risk of getting the 
content interpreted. 

[0038] In the scheme, system, and equipment for 
inter-equipment authentication and key delivery of the 
present invention, the system-end equipment and the 
user-end equipment are both provided with means for: 
(a) generating their respective random digits individu- 
ally; (b) exchanging the random digits with each other; 
(c) again generating new random digits individually and 
independently from each other; (d) combining these 
new random digits with the other random digits accord- 
ing to a predetermined procedure; (e) generating secret 
information by encrypting the combined information 
using the individual user-end equipment's secret infor- 
mation; and (f) making a cryptographic communication 
using the foregoing information as individual secret 
information. 

[0039] With the above structure, even if the commu- 
nication is intercepted in both ways between the sys- 
tem-end equipment and the user-end equipment, a 
replay attack is attempted, and the individual user-end 
equipment's secret information is disclosed, the crypto- 
graphic communication still carries no risk of getting the 
content interpreted. 

[0040] Further, the scheme, system, and equip- 
ment for inter-equlpment authentication and key deliv- 
ery of the present invention includes (i) an IC card, 
which includes: an encryption means for receiving via 
on-board equipment a challenge data generated by 
roadside equipment, as the IC card passed by the road- 
side equipment, and encrypting the received data with a 
legitimate secret key; a data storage means for storing 
data encrypted by the encryption means; and a 
response data transmission means for transmitting 
each individual data of an IC card ID and a certificate of 
individual IC card key originally assigned to the IC card, 
together with the encrypted data stored in the data stor- 
age means as a response data to the roadside equip- 
ment via the on-boand equipment, (ii) the roadside 
equipment, which includes: a dividing means for divid- 
ing the transmitted response data into three sections; a 
decryption nneans for decrypting data of the certificate 
of individual IC card key data divided by the dividing 
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means, using a validation key: a matching determina- 
tion means for making a matching determination of the 
IC card ID produced as a result of the decryption with 
another IC card ID obtained by the dividing means; and 
a challenge data transmission means for transmitting 
the challenge data to the tC card, and (iii) central 
processing equipment, which includes: a challenge data 
storage means for storing the challenge data generate 
by the roadside equipment; and a matching determina- 
tion means for receiving the response data decrypted 
by the roadside equipment, and carrying out a matching 
determination of the received response data with the 
challenge data stored in the challenge data storage 
means. 

[0041] As described, the scheme, system, and 
equipment for inter-equipment authentication and key 
delivery is characterized by making a direct authentica- 
tion of the IC card ID by means of the roadside equip- 
ment, which authenticates signature information 
received at the same time with the IC card ID, and the 
central processing equipment, which makes a matching 
determination of the response data encrypted in the IC 
card and decrypted in the roadside equipment. 
[0042] Accordingly, the present irrventlon enables 
the system to make a direct authentication of the IC 
card ID because of the foregoing structure, in which the 
roadside equipment authenticates signature information 
received at the same time with the IC card ID, and the 
central processing equipment makes the matching 
determination of the response data encrypted in the IC 
card and decrypted in the roadside equipment. 
[0043] Furthermore, the scheme, system, and 
equipment for interequipment authentication and key 
delivery of the present invention Includes the steps of: 
(a) encrypting a challenge data, which is generated by 
roadside equipment at a time when an IC card passes 
by the roadside equipment and transmitted to the IC 
card via on-board equipment, in the IC card using a 
legitimate secret key; (b) storing the encrypted data; (c) 
transmitting each individual data of an IC card ID and a 
certificate of individual IC card key in addition to the 
stored data, as a response data to the roadside equip- 
ment via the on-board equipment; (d) dividing the trans- 
mitted response data into three sections in the roadside 
equipment; (e) decrypting the divided data of the certif- 
icate of individual IC card key using a validation key; (f) 
carrying out a matching determination of the IC card JD 
produced as a result of the decryption with another IC 
card ID obtained from the dividing step; and (g) carrying 
out a matching determination of the response data 
decrypted by the roadside equipment, in the central 
processing equipment. 

[0044] As described, tiie present invention is a 
method of ETC authentication characterized by making 
a direct authentication of the IC card ID by means of the 
roadside equipment, which authenticates signature 
Infomiation received at the same time with the IC card 
ID, and the central processing equipment, which makes 



a matching determination of the response data 
encrypted in tiie IC card and decrypted in the roadside 
equipment. Accordingly, the above method is capable of 
making a direct authentication of tiie IC card ID, since 

5 the roadside equipment executes tiie authentication of 
signature information received at the same time witii tiie 
~ - IC card ID, and the central processing equipment 
makes the matching determination of tiie response data 
encrypted in tiie IC card and decrypted in the roadside 

10 equipment. 

[0045] Moreover, the scheme, system, and equip- 
ment for inter-equipment authentication and key deliv- 
ery of the present invention includes (i) a first roadside 
equipment, whrch includes a challenge data and time 

15 generator / storage means for generating and storing a 
challenge data and a time of day. and transmitting the 
data to an IC card via on-board equipment, (ii) the IC 
card, which includes: an ID transmission means for 
transmitting an IC card ID immediately before the IC 

20 card passes by the first roadside equipment; an encryp- 
tion means for receiving via the on-board equipment tiie 
challenge data and the time of day generated by the first 
roadside equipment, as the IC card passed by the first 
roadside equipment, and encrypting the received data 

25 with a legitimate secret key; and a response data trans- 
mission means for transmitting each individual data of 
the IC card ID and a certificate of individual IC card key 
originally assigned to the IC card, together with the 
encrypted data as a response data to second roadside 

30 equipment via the on-board equipment, (ili) the second 
roadside equipment, which includes: a first dividing 
means for dividing the response data into three sec- 
tions; a decryption means for decrypting data of the cer- 
tificate of Individual IC card key divided by the first 

35 dividing means, using a validation key; and a matching 
determination means for carrying out a matching deter- 
mination of tiie iC card ID produced as a result of the 
decryption with another IC card ID obtained by tiie 
dividing means, and (iv) central processing equipment. 

40 which includes: a second dividing means for dividing the 
challenge data generated by \he first roadside equip- 
ment and tiie IC card ID; a third dividing means for divid- 
ing the response data and the IC card ID decrypted in 
the second roadside equipment; and a matching deter- 

46 mination means for making a matching determination of 
the challenge data obtained by the second dividing 
means and the response data obtained by the tiiird 
dividing means. 

[0046] As described, the foregoing structure of this 
50 invention constitutes an ETC authentication system 
characterized by making a direct authenticatron of tiie 
IC card ID by means of the second roadside equipment, 
which executes an authentication of signature informa- 
tion received at tiie same time with the IC card ID, and 
55 the central processing equipment which makes a 
matching determinatbn^ the response data encrypted 
in the IC card and decrypted In the second roadside 
equipment. Accordingly the invention enables tiie ETC 
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authentication system to make a direct authentication of 
the IC card 10, because the roadside equipment exe- 
cutes the authentication of signature information 
received at the same time with the IC card ID. and the 
central processing equipment makes the matching 
determination of the response data encrypted in the IC 
card and decrypted in the roadside equipment. 
[0047] Also, the ETC authentication system repre- 
senting the scheme, system, and equipment for inter- 
equipment authentication and key delivery of the 
present invention further includes, in addition to the 
above-described structure of the second roadside 
equipment, another decryption means for decrypting 
the encrypted data produced by ttie dividing means, 
using a secret key for the individual IC card reproduced 
by the decryption means, and a validation means for 
obtaining the time information, at which the IC card has 
passed by the first roadside equipment, from the 
decrypted result of the decryption means, and for con- 
firming whether or not a difference between the time 
information and the present time of day is within a pre- 
determined time period. As a result, the ETC authenti- 
cation system is able to determine whether the time 
taken for passing through between the two of roadside 
equipment is legitimate or not, and to place the IC card 
ID in a negative list if it determines the passage as ille- 
gitimate. 

[0048] Furthermore, the scheme, system, and 
equipment for inter-equipment authentication and key 
delivery of the present invention includes the steps of: 
~~(a) receiving a card ID from an IC card via on-board 
equipment immediately before the IC card passes by 
first roadside equipment; (b) transmitting via on-board 
equipment to the 10 card a challenge data and a time of 
day generated by the first roadside equipment, as the IC 
card passed by the first roadside equipment, and 
encrypting the data with a legitimate secret key in the IC 
card; (c) transmitting each individual data of the IC card 
ID and a certificate of individual IC card key. in addition 
to the encrypted data, as a response data to second 
roadside equipment via the on-board equipment; (d) 
dividing the received response data into three sections 
in the second roadside equipment; (e) decrypting the 
divided data of the certificate of individual IC card key 
using a valklation key; (f) carrying out a matching deter- 
mination of the IC card ID produced as a result of the 
„ decryption with another IC card ID obtained in the divid- 
ing step; and (g) executing In central processing equip- 
ment a matching determination of the challenge data 
obtained in the first roadside equipment and the 
response data decrypted in the second roadside equip- 
ment. 

[0049] As described, the foregoing steps of this 
invention constitute an ETC authentication method 
characterized by making a direct authentication of the 
IC card ID through the process^of : executing an authen- 
tication of signature information received at the same 
time with the IC card ID in the second roadside equip- 



ment; and making a matching determination of the 
response data encrypted in the IC card and decrypted 
in the second roadside equipment, in the central 
processing equipment. Accordingly, the above method 

5 of the invention enables the ETC authentication system 
to make a direct authentication of the IC card ID. 
because the roadside equipment executes the authenti- 
cation of signature information received at the same 
time with the IC card ID, and the central processing 

10 equipment makes the matching determination of the 
challenge data encrypted in the IC card and decrypted 
in the roafdside equipment. 

[0050] Also, the scheme, system, and equipment 
for inter-equipment authentication and key delivery of 

15 the present invention provides an ETC authentication 
method, which further includes, in addition to the above- 
described method, a step of: decrypting the encrypted 
data produced by the dividing step using a secret key for 
the individual IC card reproduced in the decryption step. 

20 and a step of obtaining the time information, at which 
the IC card has passed by the first roadside equipment, 
from the result of the decryption step, and confirming 
whether or not a difference between the time informa- 
tion and the present time of day is within a predeter- 

25 mined time. Accordingly, the foregoing method enables 
the ETC authentication system to make a determination 
as to whether the time taken for the passage is legiti- 
mate or not. and to place the IC card ID in a negative list 
if it determines the passage is illegitimate. 

30 [0051] The scheme, system, and equipment for 
Inter-equipment authentication and key delivery of the 
present invention includes (i) a first roadside equipment, 
which includes a challenge data generation means for 
generating a challenge data, and transmitting the data 

35 to an IC card via on-board equipment, (ii) the IC card, 
which includes: an ID transmission means for transmit- 
ting an IC card ID immediately before the IC card 
passes by the first roadside equipment; an encryption 
means for receiving via the on-board equipment the 

40 challenge data generated by the first roadside equip- 
ment, as the IC card passed by the first roadside equip- 
ment, and encrypting the data with a legitimate secret 
key; and a response data transmission means for trans- 
mitting each individual data of the IC card ID originally 

45 assigned to the IC card and a certificate of individual IC 
card key, together with the encrypted data as a 
response data to secorxi roadside equipment via the 
on-board equipment, (ii>) the second roadskJe equip- 
ment, which includes: a first dividing means for dividing 

50 the response data into three sections: a decryption 
means for decrypting data of the certificate of individual 
IC card key divided by the first dividing means, using a 
validation key; and a matching determination means for 
carrying out a matching determination of the IC card ID 

55 produced as a result of the decryption with another IC 
card ID obtained by the dividing means, and (iv) central 
processing equipment, which includes: a second divid- 
ing means for dividing the challenge data generated by 
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the first roadside equipment and the iC card ID; a third 
dividing means for dividing the response data decrypted 
in the second roadside equipment and the IC card ID; 
and a matching determination means for making a 
matching determination of the challenge data obtained 5 
by the second dividing means and the response data 
obtained by the third dividing means. 
[0052] As described, the foregoing structure of this 
invention constitutes an ETC authentication system 
characterized by making a direct authentication of the 10 
tC card ID by means of the second roadside equipment, 
which executes an authentication of signature informa- 
tion received at the same time with the IC card ID. and 
the central processing equipment, which makes a 
matching determination of the response data encrypted is 
In the IC card and decrypted in the second roadside 
equipment. Accordingly, the invention enables the ETC 
authentication system to make a direct authentication of 
the iC card ID. because the roadside equipment exe- 
cutes the authentication of signature information 20 
received at the same time with the IC card ID, and the 
central processing equipment makes the matching 
determination of the response data encrypted in the IC 
card and decrypted In the roadside equipment. 
[0053] Also, the scheme, system, and a:;uipment 25 
for Inter-equlpment authentication and key delivery of 
the present invention includes the steps of: (a) receiving 
a card ID from an IC card via on-board equipment 
Immediately before the IC card passes by first roadside 
equipment; (b) transmitting via on-t)oard equipment to 30 
the IC card a challenge data generated by the first road- 
side equipment as the IC card passed by the first road- 
side equipment, and encrypting the data with a 
legitimate secret key; (c) transmitting each Individual 
data of the IC card ID and a certificate of individual IC 35 
card key. in addition to the encrypted data, as a 
response data to second roadside equipment via the 
on-board equipment; (d) dividing the received response 
data into three sections in the second roadside equip- 
ment; (e) decrypting the divided data of the certificate of 40 
Individual IC card key using a validation key; (f) carrying 
out a matching determination of the IC card ID pro- 
duced as a result of the decryption with another IC card 
ID obtained by the dividing step; and (g) executing in 
central processing equipment a matching determination 45 
of the challenge data obtained in the first roadside 
equipment with the response data decrypted In the sec- 
ond roadside equipment. 

[0054] As described, the foregoing steps of this 
invention constitute an ETC authentication method so 
characterized by making a direct authentication of the 
IC card ID through the process of: executing an authen- 
tication of signature information received at the same 
time with the IC card ID, In the second roadside equip- 
ment; and making a matching determination of the 55 
response data encrypted In the IC card and decrypted 
In the second roadside equipment, in the central 
processing equipment. Accordingly, the above method 



of the invention enables the ETC authentication system 
to make a direct authentication of the IC card ID. 
because the roadside equipment executes the authenti- 
cation of signature information received at the same 
time with the IC card ID, and the central processing 
equipment makes the matching determination of the 
response data encrypted in the IC card and decrypted 
In the roadside equipment. 

BRIEF DESCRIPTION OP THE DRAWINGS 
[0055] 

Rg. 1 is a block diagram depicting an overall struc- 
ture of an equipment authentication and crypto- 
graphic communications system of a first 
exemplary embodiment of the present invention; 

Rg. 2 is a block diagram depicting an ETC authen- 
tication system of a second exemplary embodiment 
of the present invention; 

Fig. 3 is a block diagram depicting an ETC authen- 
tication system of a third exemplary embodiment of 
the present invention; 

Fig. 4 is a block diagram depicting an ETC authen- 
tication system of a fourth exemplary embodiment 
of the present Invention; 

Fig. 5 is a diagram depicting an operation of mutual 
authentication between an IC card and onboard 
equipment, which constitute a part of an ETC 
authentication system of the prior art; and 

Rg. 6 is a diagram depicting an operation of mutual 
authentication between onboard equipment and 
roadside equipment, which constitute a part of the 
ETC autiientication system of the prior art. 

DESCRIPTION OF THE PREFERRED EMBODI- 
MENTS 

First exemplary embodiment 

[0056] A scheme, system, ard equipment for Inter- 
equlpment authentication and key delivery of a first 
exemplary embodiment of the present invention will be 
described by referring to Fig. 1. 
[0057] Witii reference to Fig. 1. the present system 
and equipment Include user-end equipment 1, system- 
end equipment 2. and a key center 3 for administrating 
legitimacy of all of the equipment, in this exemplary 
embodiment, the user-end equipment 1 and tiie sys- 
tem-end equipment 2 respectively imply onboard equip- 
ment and roadside equipment, in particular, in an 
electronic toil collection system ("ETC system"). 
[0058] The key center 3 is an administration center 
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for controlling an entire system, and it carries out a data 
communications with the user-end equipment 1 through 
a communications path 5. The user-end equipment 1 
carries out a data communications with the system-end 
equipment 2 through a public communications path 4. 5 
The public communications path 4 implies that it carries 
a risk of being tapped and the tampering by a mala fide 
third party. 

[0059] On the other hand, the communications path 
5 for coupling between the key center 3 and the user- 10 
end equipment 1 or the system-end equipment 2 is a 
private communications path for communicating data. 
The private communications path 5 implies that data 
can not be intercepted and tampered even by a mala 
fide third party 15 
[OOSO] The user-end equipment 1 contains individ- 
ual user-end equipment's secret information 6. A first 
object of this exemplary embodiment is for the system- 
end equipment 2 to share the individual user-end equip- 
ment's secret information 6 by producing it from Individ- 20 
ual user-end equipment's information 10. which is 
transmitted through the publte communications path 4. 
[0081] After the first object is clears, a second 
object Is for the system-end equipment 2 to make 
authentication and cryptographic communications 25 
through the public communications path 4 using the 
individual user-end equipment's secret information 6. 
[0082] On the other hand, the key center 3 has an 
individual user-end equipment's Information 7. A sys- 
tem converter 8 in the key center 3 creates individual 30 
user-end equipment's secret Information 9 by making a 
system-conversion of the Individual user-end equip- 
ment's information 7. 

[0083] The user-end equipment 1 receives the indi- 
vidual user-end equipment's secret information 9 and 35 
the individual user-end equipment's Information 7 from 
the key center 3 via the private communications path 5, 
and keeps them as the individual user-end equipment's 
secret information 6 and the individual user-end equip- 
ment's information 10. 40 
[0084] The system-end equipment 2 is provided 
with a system converter 12, which is equivalent to the 
system converter 8 of the key center 3, In other words, 
the system-end equipment 2 has the same secret infor- 
mation as the one possessed by the key center 3. The 45 
system converter 12 in the system-end equipment 2 
converts the individual user-end equipment's informa- 
tion 10 transmitted from the user-end equipment 1 via 
the piMc communications path 4 in the corresponding 
manner as the system converter 8. With this conversion, so 
the system-end equipment 2 is able to reproduce indi- 
vidual user-end equipment's secret information 13, 
which contains an identical data as that of the individual 
user-end ^uipment's secret information 6. The data 
reproduced by the above conversion is stored in the ss 
system-end equipment 2 as the individual user-end 
equipment's secret information 13. The foregoing proc- 
ess makes the user-end equipment 1 and the system- 



end equipment 2 to share the individual user-end equip- 
ment's secret information 6. and thereby clearing the 
first object. 

[0065] Moreover, the user-end equipment 1 is pro- 
vided with an encryption unit 14 and a decryption unit 
15 having a common key cryptographic algorithm. A 
random digit generator 20 generates a random digit 20. 
Likewise, another random digit generator 25 generates 
a random digit 25. A combiner 24 has a function of com- 
bining two random digit data by assembling them in a 
predetermined procedure. On the contrary a divider 21 
has a function of reproducing the original random digits 
by breaking the combination and dividing the assem- 
bled random digits. 

[0066] The system-end equipment 2 is provided 
with an encryption unit 16 and a decryption unit 17 hav- 
ing the same common key cryptographic algorithm as 
the user-end equipment 1. A random digit generator 18 
generates the random digit 18. Likewise, another ran- 
dom digit generator 26 generates a random digit 26. A 
combiner 23 has a function of combining two random 
digit data input therein by assembling them according to 
a predetermined procedure. On the contrary, a divider 
22 has a function of breaking the combination and divid- 
ing the assembled and combing random digits. 
[0067] Next, a concrete operation of the system of 
this exemplary embodiment will be described by sepa- 
rating it into three phases, which are: (A) Individual 
user-end infamation delivery phase; (B) authentication 
and key-sharing phase; and (C) cryptographic commu- 
nications phase. 

(A) Individual user-end information delivery phase 
[0068] 

(1) The key center 3 produces the individual user- 
end equipment's secret information 9 from the indi- 
vidual user-end equipment's information 7 with the 
system converter 8, and transmits it to the user-end 
equipment 1 through the private communications 
path 5. 

(2) The user-end equipment 1 keeps the individual 
user-end equipment's information 7 and the individ- 
ual user-end equipment's secret information 9 
received from the key center 3. as the individual 
user-end equipment's information 10 and the indi- 
vidual user-end equipment's secret information 6 
respectively The user-end equipment 1 transmits 
the individual user-end equipment's information 10 
to the system-end equipment 2 through the public 
communications path 4 

(3) The system-end equipment 2 produces the indi- 
vidual user-end equipment's secret informatfon 13 
by making a system-conversion of the received 
individual user-end equipment's information 10 with 



9 



17 



EP0998073A2 



18 



the system converter 12. The individual user-end 
equipment's secret information 13 produced in the 
above step is identical to the Individual user-end 
equ'pmenfs secret information 6 kept in the user- 
end equipment 1 , since the system converter 12 in 5 
the system-end equipment 2 is equivalent to the 
system convener 8 in the key center 3. The system- 
end equipment 2 has a secret key cryptographic 
algorithm, and therefore it is capable of producing 
the individual user-end equipment's secret informa- w 
Won 13 through an execution of system-conversion 
of the individual user-end equipment's information 
10 with a secret key. In this instance, the key center 
3 also has the same secret key cryptographic algo- 
rithm and the same secret key as the system-end 75 
equijpment 2. 

[0069] The individual user-end equipment's secret 
information shared mutually in the above step is utilized 
as a common key for encryption and decryption by the 20 
encryption unit 14 and decryption unit 15 in the user- 
end equipment 1, and the encryption unit 16 and 
decryption unit 1 7 in the system-end equipment 2 in the 
next authentication and key-sharing phase. 

25 

(B) Authentication and key-sharing phase 
[0070] 

(4) The user-end equipment 1 generates the ran- 30 
dom digit 25 in the random digit generator 25, and 
transmits it to the system-end equipment 2 as a 
challenge data. 

(5) The system-end equipment 2 generates the ran- 3S 
dom digit 18 in the random digit generator 18. 

(6) The system-end equipment 2 combines the ran- 
dom digit 18 and the random digit 25 transmitted 
from the user-end equipment 1 in a combiner 23. 40 
The system-end equipment 2 then encrypts the 
combined data in the encryption unit 16 using the 
individual user-end equipment's secret information 

13, and transmits it to the user-end equipment 1 as 
a response to the random digit 25. 45 

(7) The user-end equipment 1 decrypts the 
received encrypted data in the decryption unit 15 
using the individual user-end equipment's secret 
Information 6, and reproduces the random digit 18 so 
and the random digit 25 In the divider 21. 

(8) The user-end equipment 1 produces in a com- 
mon key generator 27 secret information for use in 

a cryptographic communications by combining the ss 
random digit 18 reproduced in the previous step 
and the random digit 20 generated by its own ran- 
dorin digit generator 20. TTiis secret information Is 



named a common key 

(9) The user-end equipment 1 makes a determina- 
tion of the challenge response, at the same time, in 
a matching determination unit 29 by comparing the 
reproduced random digit 25 with another random 
digit 25 generated by its own random digit genera- 
tor 25. The user-end equipment 1 authenticates the 
system-end equipment 2 as legKlmate. If these ran- 
dom digits match. 

(10) The system-end equipment 2 generates a ran- 
dom digit 26 in the random digit generator 26, and 
transmits it to the user-end equipment 1 as a chal- 
lenge data. 

(11) The user-end equipment 1 combines the ran- 
dom digit 20 generated by the random digit genera- 
tor 20 with the random digit 26 transmitted from the 
system-end equipment 2 In the combiner 24. The 
user-end equipment 1 then encrypts the combined 
data in the encryption unit 14 using the indlvkiual 
user-end equipment's secret information 6, and 
transnnits it to the system-end equipment 2 as a 
response to the random digit 26. 

(12) The system-end equipment 2 decrypts the 
received encrypted data in the decryption unit 17 
using the individual user-end equipment's seaet 
information 13. and reproduces the random digit 20 
and the random digit 26 in the divider 22. 

(13) The system-end equipment 2 produces secret 
information for cryptographic communications in a 
common key generator 19. by combining the ran- 
dom digit 20 reproduced in the previous step and 
the random digit 18 generated by its own random 
digit generator 18. This secret information is identi- 
cal to the secret information of the user-end equip- 
ment 1 produced in the step (8), and named a 
common key 

(1 4) At the same time, the system-end equipmort 2 
makes a determination of the challenge response In 
a matching determination unit 28 by comparing the 
reproduced random digit 26 with another random 
digit 26 generated by its own random digit genera- 
tor 26. The system-end equipment 2 thus authenti- 
cates the user-end equipment 1 as legitimate, if 
both random digits match. 

(C) Cryptographic communications phase 

[0071] 

(15) ff the authentications are successfully com- 
pleted in the foregoing authentication and key-shar- 
ing phase, the user-end equipment 1 and the 
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system-end equipment 2 replace the key informa- 
tion in their respective encryption units and decryp- 
tion units with the common key, i.e. the data 
obtained by combining the random digit 20 and the 
random digit 18, which is shared mutually in the 5 
foregoing authentication and key-sharing phase. 

(16) The user-end equipment 1 and the system-end 
equipment 2, both of which share the above-cited 
common key, now start a cryptographic communi- 10 
catfons with each other by their respective encryp- 
tion units and decryption units. 

[0072] The described exemplary embodiment is an 
example, in which each of the system-end equipment 2 15 
and the user-end equipment 1 generates and stores 
own random digit individually, exchanges the random 
digit with each other, and combines the exchanged / 
received random digit with the generated / stored ran- 
dom digit according to the predetermined procedure. 20 
However the system-end equipment 2 and the user-end 
equipment 1 may generate their own random digit indi- 
vidually, and combines the generated random digit with 
own information unique to each of the system-end 
equipment 2 and the user-end equipment 1 according to 2S 
the predetermined procedure. 
[0073] The present exemplary embodiment, as has 
been described, provides the following advantages. 

1 . The system-end equipment 2 is not required to 30 
store individual secret information for each of the 
user-end equipment 1 in a form of database, since 

it can produce the information from the individual 
user-end equipment's information transmitted by 
the user-end equipment 1. 35 

2. The user-end equipment 1 can make authentica- 
tion of the system-end equipment 2, since the sys- 
tem-end equipment 2 is required to have secret 
information, which is assigned only to the legitimate 40 
system-end equipment, in order to reproduce the 
individual secret information of the user-end equip- 
ment 1. 

3. Since the system generates random digits for key 45 
sharing, it can improve security in the public com- 
munications, which carries a large volume of trans- 
mission, and is therefore comparatively liable to 
unauthorized Interception. 

50 

4. Since the system carries out a process of the key 
sharing in parallel with the authentication phase of 
the challenge response, it can reduce a number of 
communications sequences. 

55 

5. Since the system caries out authenticatfon and 
cryptographic communications using random digits 
generate consecutively, it protects the crypto- 



graphic communications from being intercepted, 
since sufficient information is not disclosed even if 
either one of the system-end equipment and the 
user-end equipment is analyzed. 

Second exemplary embodiment 

[0074] Fig. 2 is a diagram depicting an ETC authen- 
tication system and method as an example of a 
scheme, system, and equipment for inter-equipment 
authentication and key delivery of a second exemplary 
embodiment of the present invention. The ETC authen- 
tication system of the present exemplary embodiment 
executes a direct and dynamfo one-way authentication 
(challenge response) of an IC card. 
[0075] In Fig. 2, when an automobile equipped with 
oriboard equipment 120 having an IC card 1 10 inserted 
therein passes by roadside totlbooth equipment (herein- 
after referred to as "roadside equipment") 130, the road- 
side equipment 130 transmits a random digit (RND) 
generated therein as a challenge data to the iC card 
1 10 via the onboard equipment 120. The IC card 1 10 
encrypts the received random digit (RND) in an encryp- 
tion unit 1 1 1 using a legitimate secret key Kicc, and 
stores the encrypted data E (Kicc, RND).in a data stor- 
age unit 112 within the IC card 110. In this exemplary 
embodiment, the roadside equipment 130 and the 
onboard equipment 120 are provided with a wireless, 
infrared, or the like communications device, as well as 
data transmission and reception means for transmitting 
and receiving data with each other. Also, the IC card 
1 10 is provided therein with an antenna unit and an IC. 
so that it is capable of transmitting and receiving data 
with the onboard equipment 120 through magnetic field 
or electrostatic f iekJ. Accordingly, the IC card 110 is able 
to transmit and receive data with the roadside equip- 
ment 130 via the onboard equipment 1 20. 
[0076] The IC card 110 transmits the encrypted 
data E (Kicc, RND) as a response data to the roadskle 
equipment 130 via the onboard equipment 120. Prior to 
the transmission, the IC card 1 10 combines an ID of the 
IC card C1CCID") and a certificate of individual IC card 
key CERT-Kicc with the encrypted data E (Kicc, RND) in 
a combiner 113 of the IC card. 
[0077] The roadside equipment 130 divides the 
received data in a divider 131 into three data in their 
original states before the combination. In other words, 
tiie roadside equipment 130 reproduces the ICCID and 
the CERT-Kicc, at the same time with the response data 
E (Kicc, RND). 

P078] The roadside equipment 130 decrypts the 
certificate of irdividual IC card key CERT-Kicc in a 
decryption unit 132 using a validation key PC in its own 
possession. The roadside equipment 130 is able to 
reproduce the Kicc and the ICCID by dividing the 
decrypted data Kicc ICCID with a divider 133. The road- 
side equipment 130 makes a matching determination of 
tiie ICCID with the other ICCID reproduced by the 
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divider 131, by comparing them in a matching determi- 
nation unit 134. The roadside equipment 130 can thus 
authenticates a signature of the IC card ID (ICGID), if 
they match. Accordingly, the roadside equipment 130 
can authenticate legitimacy of the certificate of individ- s 
ual IC card key CERT-Kicc through the authentication of 
signature, and thereby it can determine the Kicc is legit- 
imate, since they are both reproduced at the same time. 
The divider 131. the decryption unit 132 and the divider 
133 constitute a means for reproducing the secret key io 
peculiar or unique to the IC card from data of the certif- 
icate of individual IC card k^ received from the IC card. 
[0079] The roadside equipment 130 produces a 
random digit RND' by decrypting the response data, i.e. 
encrypted data E(Kicc. RND). in a decryption unit 135 is 
using the reproduced Kicc as a key. The random digit 
RND'. whfch is a response data produced In the decryp- 
tion unit 135, is tentatively referred to as RND', because 
no verification has yet been made as to whether or not 
it matches with the challenge data RND reproduced and 20 
stored in the roadside equipment 130. The roadside 
equipment 130 Is provided with a random digit genera- 
tor / storage unit 138 for generating and storing a ran- 
dom digit RND. 

[0080] The roadside equipment 130 combines in 2s 
the combiner 136 the data RND*. which is a response 
data decrypted in the decryption unit 135. with the 
ICCID divided by the divider 133. The roadside equip- 
ment 130 transmits the combined data ICCID RND' to 
central equipment (i.e. central processing equipment) 30 
140. 

[OQBI] On the other hand, the roadside equipment 
130 combines In a combiner 137 the random digit RND. 
which is a challenge data reproduced and stored in the 
random digit generator / storage unit 138, with the 3S 
ICCID divided by the divider 1 33, and transmits It to the 
central equipment 140 as a data ICCID RND. 
[0(^2] The central equipment 1 40 receives the data 
ICCID RND. reproduces the random digit RND, i.e. the 
challenge data, by dividing It in a divider 1 41 . and stores 40 
it in a data storage unit 142. The central equipment 140 
also reproduces the random digit RND'. or the response 
data, by divkiing the data ICCID RND' In a divider 143. 
The central equipment 140 then make a matching 
determination of the reproducaJ random digit RND' with 45 
the random digit RND, i.e. a stored data 144 stored in 
the data storage unit 142, in a matching determination 
unit 145. 

10€83] The central equipment 140 can authenticate 
that the IC card 1 10 has the legitimate secret key Kicc. so 
if a result of the matching determination is positive 
between the random digit RND, or the challenge data 
having the same ICCID. and the random digit RND', or 
the response data. In this way, the central equipment , 
140 can make a direct authentication of the IC card ID ss 
dynamically and unilaterally. 

[0(^] In addition, and in parallel with the foregoing 
operation, the roadside equipment 1 30 transmits a chal- 



lenge data (I.e. the random digit RND) generated by the 
random digit generator / storage unit 138 in the roadside 
equipment 130 to the onboard equipment 120 at the 
time when the onboard equipment 120 passes by the 
tollbooth. Upon completion of a predetenmined proce- 
dure of the communications (Dedicated Short Range 
Communications, or "DSRC") between the onboard 
equipment 120 and the roadside equipment 130. the 
onboard equipment 120 sends the random digit RND to 
the IC card 110, and the IC card 110 encrypts it into 
data E(Kicc. RND). "The IC card 110 stores the 
encrypted data E(Kicc. RND) In the data storage unit 
1 1 2 as a response data. 

Third exemolarv embodiment 

[0085] Fig. 3 is a diagram depicting an ETC authen- 
tication system and method as an example of a 
scheme, system, and equipment for inter-equipment 
authentication and key delivery of a third exemplary 
embodiment of the present Invention. The ETC authen- 
tication system of the present exemplary embodiment 
executes a direct and dynamic authentication of an IC 
card, in the same manner as the second exemplary 
embodiment, with a combination of roadside tollbooth 
pre-notification equipment (hereinafter referred to as 
"roadside pre-notification equipment") and roadside toll- 
booth equipment ("roadside equipment"). 
[0086] In Fig. 3. when an automobile equipped wit 
onboard equipment 220 having an IC card 210 inserted 
therein passes by roadside pre-notification a^uipment 
240. which is installed before a tollbooth. e.g. 30 m to 
the tollbooth. the IC card 210 transmits an ID (ICCID) 
stored therein to the roadside pre-notification equip- 
ment 240 via the onboard equipment 220. The roadside 
pre-notification equipment 240 is provided with a ran- 
dom digit and time generator / storage unit for generat- 
ing and storing a random digit (RND) and the time of 
day (Time). The roadside pre-notification equipment 
240 produces a data ICCID RND Time by combining the 
ICCID transmitted from the IC card 210 with the random 
digit (RND) and the time of day (Time) generated 
therein, and ti^ansmits It to the IC card 210 and a traffic 
lane equipment (I- e. central processing equipment) 
250. 

[0087] The IC card 210 encrypts the random digit 
(RND) and the time of day (Time) among the received 
data In an encryption unit 21 1 using a legitimate secret 
key Kicc. The encryption into a data E (Kicc. Time RND) 
is carried out while the automobile moves from the road- 
side pre-notif Ication equipment 240 to the tollbooth. The 
IC card 210 transmits the data E (Kicc. Time RND) 
along with the ID (ICCID) of tiie IC card 210 and a cer- 
tificate of individual IC card key CERT-Kicc to roadside 
equipment 230 after combining them together In a com- 
biner 212. 

[0088] The roadside equipment 230 divides the 
transmitted data in a divider 231 into three data, i.e. the 
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E (Kicc, Time RND), the ICCID, and the CERT-Kicc. 
[0(^9] Then, the roadside equipment 230 produces 
a data Kicc ICCID by decrypting the certificate of indi- 
vidual IC card key CERT-Kicc in a decryption unit 232 
using a validation key PC. The roadside equipment 230 5 
reproduces the Kicc and ICCID by dividing the data Kicc 
ICCID in a divider 233. The roadside equipment 230 
then makes a matching determination in a matching 
determination unit 234 by comparing the ICCID with the 
other ICCID reproduced by the divider 231 . The road- io 
side equipment 230 completes the authentication of sig- 
nature of the IC card ID. if they match. Accordingly, the 
roadside equipment 230 can authenticate legitimacy of 
the certificate of individual IC card key CERT-Klcc. and 
thereby it can determine the Kicc is legHimate, since 75 
they are both reproduced at the same time. The road- 
skie equipment 230 produces a data Time RND* by 
decrypting the encrypted data E(Kicc. Time RND) in a 
decryption unit 235 using the Kicc reproduced by the 
divider 233 as a key. The roadside equipment 230 fur- 20 
ther produces the random digit RND' and the time of day 
Time from the produced data Time RND'. The random 
digit produced by the decryption unit 235 is tentatively 
referred to as RND*, because an authentication has not 
as yet been made as to whether or not it matches with 2s 
the random digit RND reproduced In the roadside pre- 
notification equipment 240. 

[0090] The roadside equipment 230 makes a confir- 
mation with a valuation unit 236 by calculating a differ- 
ence in time between the produced time of day (Time) 30 
and time (Time') at which the automobile passes by the 
roadside pre-notification equipment 240. The roadskie 
equipment 230 determines that the automobile has 
taken a legitimate time to pass through between the 
roadside pre-notification equipment 240 and the road- 35 
side equipment 230, if the difference is equal to or less 
than a predetermined time, e.g. "n" minutes. Or, the 
roadside equipment 230 determines that the automo- 
bile has not taken a legitimate time to pass through, i.e. 
an illegitimate passage, if the difference is more than 40 
the predetermined time of "n" minutes, and it hence 
places the IC card ID in a negative list. 
[0091] The roadside equipment 230 confi}ines the 
produced random digit RND' with the afbre-cited ICCID 
reproduced by the divider 233, in a combiner 237. The 45 
roadside equipment 230 transmits the combined data 
ICCID RND' to the traffic lane equipment 250. 
[0092] The traffic lane equipment 250 reproduces 
the RND* by dividing the data ICCID RND' with a divider 
251 . The traffic lane equipment 250 also reproduces in so 
a divider 252 the random digit (RND) by divkitng the 
data ICCID RND Time, which it has received previously 
from the roadside pre-notification equipment 240. The 
traffic lane equipment 250 then makes a matching 
diBtermination in a matching determination unit 253 by 55 
comparing the random digit (RND) and the random digit 
RND'. 

[0093] The traffic lane equipment 250 can verify 



that the random digit RND and the random digit RND\ 
both of which have the same ICCID. are Identical, if a 
result of the matching determination is positive. In the 
manner as described above, the traffic lane equipment 
250 is thus able to make a direct and dynamic authenti- 
cation of the IC card ID, since it can confirm that the IC 
card 210 has the legitimate secret key Kicc. 

Fourth exemplary embodiment 

[0094] Fig. 4 is a diagram depicting an ETC authen- 
tication system and method as an example of a 
scheme, system, and equipment for inter-equipment 
authentication and key delivery of a fourth exemplary 
embodiment of the present invention. The ETC authen- 
tication system of the present exemplary embodiment 
executes a direct and dynamic authentication of an IC 
card, in the same manner as the third exemplary 
embodiment, with a combination of roadside entrance 
tollbooth equipment and roadside exit tolibooth equip- 
ment. 

[0095] In Fig. 4, when onboard equipment 320 hav- 
ing an IC card 310 inserted therein passes under road- 
side entrance tollbooth equipment 340, the IC card 310 
and the roadside entrance tollbooth equ'^ment 340 
exchange data with each other. That is. when the IC 
card 310 transmits an IC card ID (ICCID) to the .roadside 
entrance tollbooth equipment 340, the roadside 
entrance tollbooth equipment 340 generates a random 
digit (RND) and transmits it as a challenge data to the IC 
card 310. 

[0096] At the same time, the roadside entrance toll- 
booth equipment 340 produces a data ICCID RND by 
combining the IC card ID (ICCID) with the random digit 
(RND), and transmits it to central equipment 350. All of 
the above processes are made while the ontx>ard 
equipment 320 passes through the roadskie entrance 
tollbooth equipment 340. 

[0097] After the onboard equipment 320 has 
passed through the roadside entrance tollbooth equip- 
ment 340. and before it reaches to roadskie exit toll- 
booth equipment 330, the IC card 310 encrypts the 
received random digit (RND) in an encryption unit 311 
using a legitimate secret key Kicc, i.e. producing an 
encrypted data E(Kicc, RND). and stores the data. 
P)098] Since the IC card 310 has stored the 
encrypted data, the IC card 310. which is inserted in the 
ontK)ard equipment 320, is able to transmits the 
encrypted data, or E(Kicc, RND), to the roadside exit 
tollbooth equipment 330 when it passes by the roadside 
exit tollbooth equipment 330. 

[0099] The IC card 310 combines the encrypted 
data E(Kicc. RND) together with the IC card ID (ICCID) 
and a certificate of indivkiual IC card key CERT-Kicc in 
a combiner 312. and transmits it to the roadskie exit toll- 
booth equipment 330. 

[0100] The roadside exit tollbooth equipment 330 
receives the combined data, and divides rt into three 
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data. i.e. the E(Kicc. RND). the ICCID). and the CERT- 
Kicc, by a divider 331 . 

[0101] The roadside exit tollbooth equipment 330 
has a validation key PC, so that it can reproduce a data 
Kicc ICCiD by decrypting the certificate of individual IC 5 
card key CERT-Kicc in a decryption unit 332 using the 
validation key PC, and then the Kicc and the ICCID by 
dividing the decrypted data in a divkJer 333. 
[0102] The roadside exit tollbooth equipment 330 
makes a matching determination of the ICCID repro- w 
duced by the divider 333 with the other ICCID repro- 
duced by the divider 331 in a matching determination 
unit 334. The roadside exit tollbooth equipment 330 
completes the authentication of a signature of the iC 
card ID, if they match. That is, if they match, the road- is 
side exit tollbooth equipment 330 can determine that the 
Kicc is legitimate when it can authentrcate legitimacy of 
the certificate of individual IC card key CERT-Kicc, since 
they are both reproduced at the same time. The road- 
side exit tollbooth equipment 330 then produces a ran- 20 
dom digit RND' by decrypting the encrypted data 
E(Kicc, RND) in a decryption unit 335 using the Kicc 
reproduced by the divider 333 as a key The random 
digit produced by the decryption unit 335 is tentatively 
referred to as RND*. because an authentication has not 25 
as yet been made as to whether or not It matches with 
the random digit RND reproduced in the roadside 
entrance tollbooth equipment 340. 
[0103] The roadside exit tollbooth equipment 330 
combines the random digit RND' produced therein with 30 
the ICCID reproduced by the divider 333 in a combiner 
336, and transmits it as a data ICCID RND* to the cen- 
tral equipment 350. 

[0104] The central equipment 350 reproduces the 
random digit RND' by dividing the data ICC ID RND' with 35 
a divider 351. The central equipment 350 has the ran- 
dom digit RND stored therein, since it has reproduced 
the random digit RND by dividing in the divkler 352 the 
data ICCID RND received from the roadside entrance 
tollbooth equipment 340. Thus, the central equipment 40 
350 make a matching determination by comparing the 
reproduced random digit RND' with the stored random 
digit RND in a matching determination unit 353. 
[0105] Accordingly, the central equipment 350 can 
make the matching determination between the random 45 
digit RND and the random digit RND' having the same 
ICCID reproduced at the entrance and the exit. In this 
way, the central equipment 350 is able to make a 
dynamic authentication of the IC card ID, since it can 
confirm that the IC card 310 has the legitimate secret so 
key Kicc. 

[0106] As has been described, the ETC authentica- 
tion system and the method of authentication of this 
exemplary embodiment is able to execute a direct and 
dynamic authentication of the IC card, since it can cen- ss 
tralize random digit data into the central equipment with 
a combination of the roadside equipments provided at 
the entrance tollbooth and the exit tollbooth. 



[0107] AKhough what has been described are the 
systems employing a type of key used in the public key 
crypto-system, i.e. the DES cryptography, as the legiti- 
mate secret key Kicc, the key needs not be restricted to 
a public key, and it can be any other key employed in 
other crypto-systems such as the elliptic curve cryptog- 
raphy, the RAS cryptography, and the like. 
[0108] If such is the case, the system becomes 
capable of making a signature-authentication within a 
short period of time, in which an automobile passes 
through an entrance tollbooth equipped with a dual 
antenna, by adopting an exclusive LSI for the elliptic 
curve cryptography, for example, in the system. 
[0109] According to the present invention, the sys- 
tem-end equipment is not required to store Individual 
secret information for each of the user-end equipment in 
a form of database, since it can reproduce the Individual 
secret information from a key capsule data transmitted 
by the user-end equipment. 

[0110] With the present invention, the user-end 
equipment is able to authenticate the system-end 
equipment, since the system-end equipment is required 
to use a secret information that only the legitimate sys- 
tem-end equipment possesses in order to reproduce 
the individual secret information for the user-end equip- 
ment. 

[0111] Also, the present invention enables the sys- 
tem-end equipment to make authentication for legiti- 
macy of the user-end equipment by using Individual 
user-end equipment's secret information, which can be 
shared without storing the Individual secret information 
for each of the user-end equipment in a form of data- 
base, and a secret key cryptography, thereby enabling 
the system-end equipment to make a cryptographic 
communications. 

[0112] Further, the present invention does not 
require the system-end equipment to store the individ- 
ual secret information for each of the user-end equip- 
ment in a form of database, as it uses information 
shared mutually by exchanging secret information pos- 
sessed individually with the user-end equipment. 
Because of this invention, even if either the system-end 
equipment or the user-end equipment is analyzed, the 
cryptographic communications can not be interpreted 
only with a limited information disclosed by the analysis. 
[0113] According to the present invention, the sys- 
tem-end equipment and the user-end equipment make 
a cryptographic communications by exchanging secret 
information possess^ individually, and combining the 
information to generate new secret informatfon. There- 
fore, even if either the system-end equipment or the 
user-end equipment is analyzed, the cryptographic 
communications can not be interpreted only with a lim- 
ited information disclosed by the analysis. 
[0114] In the present invention, the system-end 
equipment and the user-end equipment generate seaet 
information by enaypting the exchanged and combined 
information with the individual user-end equipment's 
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secret information, and make a cryptographic communi- 
cations using this secret information. Therefore, even if 
communications in both ways between the system-end 
equipment and the user-end equipment is intercepted, 
the encrypted seaet information can not be compre- 5 
hended, and the cryptographic communications can not 
be interpreted only with information disclosed by the 
interception. 

[01 1 5] According to the present invention, the sys- 
tem-end equipment and the user-end equipment gener- 10 
ate their respective random digits individually, exchange 
the information with each other as separate secret infor- 
mation, and mutually share secret information peculiar 
to the system-end equipment and the user-end equip- 
ment by combining the exchanged random digits is 
according to a predetermined procedure, in order to 
make a cryptographic communications. As a result, 
even if the communications in both ways between the 
system-end equipment and the user-end equipment is 
intercepted, and the individual user-end equipment's 20 
secret information is disclosed, the subsequent crypto- 
graphic communications can hardly be interpreted. 
[01 1 6] Also, according to the present invention, the 
system-end equipment and the user-end equipment 
generate their respective random digits individually, 25 
combine own information unique to each of the system- 
end equipment and the user-end equipment to the ran- 
dom digits according to a predetermined procedure, 
generate secret information by encrypting the combined 
information with the individual user-end equipment's so 
secret information, and exchange the encrypted infor- 
mation with each other as individual secret information. 
The system-end equipment and the user-end equip- 
ment then decrypt the combined information using the 
individual user-end equipment's secret information 35 
shared between them by the means described in the 
first exemplary embodiment, break the combination 
according to a predetermined procedure, reproduce the 
random digits exchanged with each other and mutually 
share the reproduced random digits as individual secret 40 
information unique to each of the system-erd equip- 
ment and the user-end equipment in order to make a 
cryptographic communications. With this inventfon. 
even if the communications is intercepted in both ways 
between the system-end equipment and the user-end 45 
equipment, and a replay attack is attempted, a content 
of the cryptographic communications can not be inter- 
preted. 

[0117] Further, according to the present invention, 
the syst«n-end equipment and the user-end equipment so 
generate their respective random digits individually, and 
exchange the random digits with each other. The sys- 
tem-end equipment and the user-end equipment again 
generate new random digits individually, combine these 
random digits together according to a predetermined ss 
procedure, generate secret information by encrypting 
the combined information using the individual user-end 
equipment's secret information, and exchange the 



encrypted information with each other as individual 
secret information. In the same manner as the preced- 
ing paragraph, the system-end equipment and the user- 
end, equipment then decrypt the combined information 
using the individual user-end equipment's secret infor- 
mation shared between them, break the combination 
according to a predetermined procedure, reproduce the 
random digits with each other and mutually share the 
random digits as individual secret information unique to 
each of the system-end equipment and the user-end 
equipment in order to make a cryptographic communi- 
cations. With this invention, even if the communications 
Is intercepted in both ways between the system-end 
equipment and the user-end equipment, a replay attack 
is attempted, and the individual user-end equipment's 
seaet information is disclosed, a content of the crypto- 
graphic communications can hardly be interpreted nev- 
ertheless. 

[01 1 8] Furthermore, the ETC authentication system 
and a method of authenticatfon of the present invention 
enables the roadside equipment to make a direct 
authentication of an IC card ID by way of making the 
roadside equipment to carry out a signature authentica- 
tion for signature information received at the same time 
with the IC card ID, and also the central processing 
equipment to simultaneously make a matching determi- 
nation of challenge data encrypted in the IC card, and 
decrypted by the roadside equipment 
[0119] Still, the ETC authentication system and a 
method of authentication of the present invention 
employs two units of roadside equipment. The ETC 
authentication system and the method thereof enables 
the first roadside equipment to carry out a writing proc- 
ess to an IC card while an automobile travels from the 
first roadside equipment to the second roadside equip- 
ment, the second roadside equipment to make an 
authentication of an IC card ID directly by using data 
(response data) written in the IC card, and also the cen- 
tral processing equipment to make a matching determi- 
nation of challenge data, in order to make direct 
authentication of the IC card ID. 

Reference Numerals 

[0120] 

1 User-end equipment 

2 System-end equipment 

3 Key center 

4, 5 Communications path 

6 Individual user-end equipment's secret informa- 
tion 

7 Individual user-end equipment's information in 
key center 

8 System converter in key center 

"~9 Individual user-end equipment's secret informa- 
tion 

10 Individual user-end equipment's secret informa- 
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tion 

12 System converter in system-end equipment 

13 Individual user-end equipment's secret informa- 
tion in system-end equipment 

14, 16. 111. 211. 311 Encryption unit s 

15. 17, 132, 135, 232. 235. 332. 335 Decryption 
unit 

1 8, 20. 25. 26 Random digit generator 2. 

19, 27 Common key generator 

21, 22, 131. 133, 141, 143.231,233,251,252.331. w 
333, 351. 352 Divider 

23, 24, 113. 136, 137.212,237,312. 336 Ck)mbiner 
28. 29. 134, 145. 234. 253. 334, 353 Matching 
determination unit 

41, 110.210,310. ICcard is 
52 Roadside equipment 

42, 51. 120, 220, 320 On-board equipment 
1 1 2, 1 42 Data storage unit 

130. 230 Roadside tollbooth equipment 

1 38 Random digit generator / storage unit 20 

140, 350 Central equipment (Central processing 

equipment) 

144 Stored data 

236 Validation unit 

240 Roadside tollbooth pre-notification equipment 2S 

(Roadside pre-notiflcation equipment) 

250 Traffic lane equipment (Central processing 3. 

equipment) 

330 Roadside exit tollbooth equipment 

340 Roadside entrance tollbooth equq3ment 30 

Claims 

1. An equipment authentication and cryptographic 
communication system, comprising: user-end 35 
equipment, system-end equipment, and a key 4. 
center for administrating authentication of equip- 
ment in said system, wherein; 

(1 ) said user-end equipment provided with indi- 40 
vidual user-end equipment information issued 

by said key center and individual user-end 
equipment secret information corresponding to 5. 
said irxiividual user-end equipment's informa- 
tion, and said use-end equipment transmits 45 
said individual user-end equipment Information 
to said system-end equipment; 

(2) said system-end equipment receives said 
Individual user-end equipment information from so 
said user-end equipment, reproduces said Indi- 
vidual user-end equipment secret information 

from said received individual user-end equip- 6. 
ment information, and authenticates said user- 
end equipment by confirming that said user- ss 
end equipment legitimately hassaid individual 
user-end equipment secret information by 
using a challenge response utilizing a common 



key ayptographic algorithm; and 

(3) said user-end equipment and said system- 
end equipment execute a cryptographic com- 
munication with each other using said individ- 
ual user-end equipment secret information. 

The equipment authentication and cryptographic 
communication system according to claim 1. 
wherein: 

(1 ) said system-end equipment Is provided with 
system-end equipment secret information, 
which is identical to that possessed by said key 
center, and produces individual user-end 
equipment secret information from said individ- 
ual user-end equipment infbrmatbn using said 
system-end equipment secret information; and 

(2) said user-end equipment authenticates said 
system-end equipment by confirming that said 
system-end equipment has said individual 
user-end equipment secret information by a 
challenge response utilizing said common key 
cryptographic algorithm. 

The equipment authentication and cryptographic 
communication system according to claim 1, 
wherein said system-end equipment is provided 
with a secret-key cryptographic algorithm, and 
reproduces said individual user-end equipment 
secret information by a system conversion of said 
individual user-end equipment information using a 
secret key. 

The equipment authentication and cryptographic 
communication system according to claim 3, 
wherein said system-end equipment and sakJ user- 
end equipment are both provided with common 
secret information shared therebetween by 
exchanging individually held secret information. 

The equipment authentication and cryptographic 
communication system according to claim 4, 
wherein said system-end equipment and said user- 
end equipment (a) exchange with each other indi- 
vidually held secret information, and (b) generate 
new secret information by combining said indivkJu- 
ally held secret Information and said secret informa- 
tion exchanged therebetween according to a 
predetermined procedure. 

The equipment authentication and cryptographic 
communication system according to claim 5, 
wherein said system-end equipment and said user- 
end equipment use sakJ individual user-end equip- 
ment secret Information for encrypting said new 
secret information, which is provided by combining 
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said information and said exchanged information. 

7. The equipment authentication and cryptographic 
communication system according to claim 6. 
wherein said system-end equ'pnent and said user- s 
end equipment (a) individually generate random 
digits, (b) exchange said generated random digits 
with each other, and (c) share the same secret 
information particular to said s/stem-end equip- 
ment and said user-end equipment by combining io 
said generated random digits and said exchanged 
random digits according to a predetermined proce- 
dure. 

8. The equipment authentication and cryptographic is 
communication system according to daim 7. 
wherein said system-end equipment and said user- 
end equipment (a) individually generate random 
digits, (b) combine said random digits with their own 
information particular to each of said system-end 20 
equipment and said user-end equipment according 

to a predetermined procedure, (c) generate 
encrypted data by encrypting the combined infor- 
mation using said individual user-end equipment 
secret information, (d) exchange said encrypted 2s 
data with each other, (e) generate decrypted data 
by decrypting said exchanged encrypted data using 
said individual user-end equipment's secret infor- 
mation, and (f) reproduce each of said mutually 
exchanged random digits by dividing the combina- 30 
tlon of said decrypted data according to a predeter- 
mined procedure. 

9. The equipment authentication and cryptographic 
communication system according to daim 8. 3S 
wherein said system-end equipment and said user- 
end equipment (a) individually generate and store 
random digits, (b) exchange said random digits with 
each other, (c) combine said exchanged random 
digits with said Individually generated and stored 40 
random digits according to a predetermined proce- 
dure, (d) generate encrypted data by encrypting 
said combined information using said individual 
user-end equipment seaet Information, (e) 
exchange said encrypted data with each other, (f) 45 
generate decrypted data by decrypting said 
exchanged encrypted data using said individual 
user-end equipment secret information, and (g) 
reproduce each of said mutually exchanged ran- 
dom digits by dividing the combination of said, so 
decrypted data according to a predetermined pro- 
cedure. 

10. The equipment authentication and cryptographic 
communication system according to daim 9. ss 
wherein said system-end equipment and said user- 
end equipment individually execute matching deter- 
minations by comparing said mutually exchanged 



random digits, which are produced by dividing the 
combination of said decrypted data according to 
tine predetermined procedure, with said individually 
generated and stored random digits. 

11. The equipment authentication and cryptographic 
communication system according to claim 10. 
wherein said system-end equipment and said user- 
end equipment produce and store the same data by 
combining said exchanged and received random 
digits and said individually generated and stored 
random digits according to tiie predetermined pro- 
cedure, and mutually share said data as a common 
key particular to both said system-end equipment 
and said user-end equipment. If said matching 

. determination produces a positive result. 

12. An equipment authentication and cryptographic 
communication system, comprising: user-end 
equipment, system-end equipment, and a key 
center for administrating authentication of equip- 
ment in said system, wherein; 

(1) said key center is provided with a first sys- 
tem converter for generating user-end equip- 
ment secret information from user-end 
equipment information; 

(2) said user-end equipment is provided witii a 
first storage unit for storing said user-end 
equipment Information provided by said key 
center, a second storage unit for storing said 
user-end equipment secret information, a first 
encryption unit, and a first decryption unit; and 

(3) said system-end equipment is provided with 
a second system converter for generating said 
user-end equipment secret infonnation by a 
system conversion of said user-end equipment 
information received from said user-end equip- 
ment, a second encryption unit, and a second 
decryption unit, and 

wherein said user-end equipment and said sys- 
tem-end equipment share and utilize said user- 
end equipment seaet information as a com- 
tnon key for encryption and decryptk^n in sakj 
first encryption unit and said first decryption 
unit in said user-end equipment, and said sec- 
ond encryption unit and said second decryption 
unit in said systenvend equipment. 

13. The equipment authentication and cryptographic 
communication system according to claim 12, 
wherein: 

(1) said user-end equipment further comprises 
a first random digit generator for generating a 
random digit, a second random digit generator 
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for generating a random digit, a first combiner 
for combining a pair of random digit data 
according to a predetermined procedure, a first 
divider for dividing a combined pair of random 
digit data to reproduce original random digits 5 
prior to combining, a first common key genera- 
tor for combining a pair of random digit data 
according to a predetermined procedure, and a 
first matcliing determination unit for determin- 
ing if two random digit data match each other; w 
and 

(2) said system-end equipment further com- 
prises a third random digit generator for gener- 
ating a random digit, a fourth random digit is 
generator for generating another random digit, 
a second combiner for combining a pair of ran- 
dom digit data according to a predetermined 
procedure, a second divider for dividing a com- 
bined pair of random digit data to reproduce 20 
original random digits prior to combining, a 
second common key generator for combining a 
pair of random digit data according to a prede- 
termined procedure, and a second matching 
determination unit for determining if two ran- 2s 
dom digit data match each other. 

14. A method of equipment authentication and crypto- 
graphic communication for an equipment authenti- 
cation and cryptographic communication system 30 
including user-end equipment, system-end equip- 
ment, and a key center for administrating authenti- 
cation of equipment in said system, sakJ method 
comprising the steps of: 

35 

(1) generating user-end equipment secret 
information from user-end equipment informa- 
tion in said key center; 

(2) receiving said user-end equipment informa- 40 
tion and said user-end equipment secret infor- 
mation in said user-end equipment from said 
key center; 

(3) receiving said user-end equipment informa- 4s 
tion from said user-end equipment, and gener- 
ating said user-end equipment secret 
information from said user-end equipment 
information received in said system-end equip- 
ment; and so 

(4) using said user-end equipment secret infor- 
mation as a common key for encryption and 
decryption in both of said user-end equipment 

. and said system-end equipment. ss 

15. The method of equipment authentication and cryp- 
tographic communication according to claim 14 fur- 



ther comprising the steps of: 

(1) generating a first random digit in said user- 
end equipment, and transmitting said first ran- 
dom digit to said system-end equipment; 

(2) generating a second random digit In said 
system-end equipment, combining said second 
random digit and said first random digit 
received from said user-end equipment, 
encrypting combined data of said second ran- 
dom digit and said first random digit using said 
common key, and transmitting said encrypted 
data to said user-end equipment; 

. (3) decrypting said encrypted data received in 
said user-end equipment using said common 
key. and reproducing said first random digit and 
said second random digit by dividing decrypted 
data of said encrypted data received in said 
user-end equipment; 

(4) determining In said user-end equipment if 
said first random digit reproduced in the pre- 
ceding decryption step matches with another 
first random digit generated therein; 

(5) generating a third random digit in saki user- 
end equipment, combining said third random 
digit and said second random digit reproduced 
In the decryption step, encrypting combined 
data of said third random digit and said second 
random digit using said common key, and 
transmitting encrypted data of said combined 
data to said system-end equipment; 

(6) generating a fourth random digit in said sys- 
tem-end equipment, and transmitting said 
fourth random digit to said user-end equip- 
ment; 

(7) combining said fourth random digit received 
in said user-end equipment from said system- 
end equipment arKi said third random digit gen- 
erated therein, encrypting combined data of 
said fourth random digit and said third random 
digit using said common key, and transmitting 
encrypted data of said combine data to said 
system-end equipment; 

(8) decrypting said encrypted data received in 
said system-end equipment using said com- 
mon key, and reproducing said third random 
digit and said fourth random digit by divkling 
decrypted data of said encrypted data received 
in said system-end equipment; and 

(9) determining in said system-end equipment 
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if said fourth random digit reproduced in the 
preceding decryption step matches with 
another fourth random digit generated therein. 

16. The method of equipment authentication and cryp- s 
tographic communication according to claim 1 5 fur- 
ther conprising the steps of: 

producing data in said system-end equipment 
for use as a common key for cryptographic io 
communication by combining said second ran- 
dom digit generated therein with said third ran- 
dom digit reproduced by decryption; and 

producing data in said user-end equipment for is 
use as a common key for cryptographic com- 
nnunication by combining said third random 
digit generated therein and said second ran- 
dom digit reproduced by decryption. 

20 

17. A cryptographic communication system compris- 
ing: an IC card, authentication equipment for 
authenticating said IC card, and intermediary 
equipment between said IC card and said authenti- 
cation equipment wherein; 25 

(1) said IC card includes a first storage unit for 
storing a secret key particular to said IC card, a 
second storage unit tor storing a certificate of 
individual IC card key data for generating said 3o 
secret key, a third storage unit for storing an IC 
card ID data, and an encryption unit for gener- 
ating an encrypted data representing response 
data by encrypting challenge data received 
from said authentication equipment using said 35 
secret key; and 

(2) sakJ authentication equipment includes a 
means for producing said secret key particular 

to said IC card from said certificate of individual 40 
IC card key data received, a first decryption 
unit for reprodudng said response data by 
decrypting said encrypted data received from 
said iC card using said produced secret key, 
and a first matching determination unit for 45 
determining if reproduced response data 
matches said challenge data transmitt^ by 
said authentication equipment. 

18. The cryptographic communication system accord- so 
ing to claim 17 wherein: 

(1) said IC card further includes a receiver for 
receiving said challenge data generated by 
said authentication equipment and transmitted ss 
via said intermediary equipment, and a 
response data transmitter for transmitting said 
encrypted data representing response data. 



said IC card ID data, and sakJ certificate of indi- 
vidual IC card key data to said authentication 
equipment via said intermediary equipment; 

(2) said means for producing said secret key in 
said authentication equipment includes a stor- 
age unit for storing a validation key, a second 
decryption unit for producing an IC card ID and 
a secret key by decrypting said certificate of 
individual IC card key data received from said 
IC card, using said validation key; and 

(3) said authentication equipment furttier 
includes a challenge data generator / storage 
unit for generating and storing said challenge 
data, and a second matching determination 
unit for determining if said response data 
decrypted by said first decryption unit matches 
with said challenge data stored in said chal- 
lenge data generator / storage unit. 

19. The cryptographic communication system accord- 
ing to daim 18 wherein: 

(1) said IC card further includes a combiner for 
generating combined data by combining said 
IC card ID data, said certificate of individual IC 
card key data, and said encrypted data, and 
transmitting said combined data to said 
authentication equipment; and 

(2) said authentication equipment furtiier 
includes a first divider for dividing said com- 
bined data received from said iC card into said 
IC card ID data. sakJ certificate of individual IC 
card key data, and said encrypted data, and a 
second divider for dividing data decrypted by 
said second decryption unit into said IC card ID 
and said secret key. 

20. The cryptographic communication system accord- 
ing to claim 19 wherein said authentication equip- 
ment further includes a first combiner for combining 
said challenge data stored in said challenge data 
generator / storage unit and said IC card ID data 
produced by said second divider, a tiiird divider for 
producing said challenge data from data combined 
by said first combiner, a second combiner for com- 
bining said response data decrypted by said first 
decryption unit and said IC card ID data produced 
by said second divider, and a fourth divider for pro- 
ducing said response data from data combined by 
said second combiner. 

21. An electronic toll collection ("ETC") authentication 
system includingan IC card, roadside equipment, 
and central processing equipment comprising: 
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(1) said IC card including an encryption means 
for receiving a challenge data generated by 
roadside equipment, as said IC card passes 
said roadside equipment, and for encrypting 
said challenge data using a secret key; an 5 
encrypted data storage means for storing data 

" encrypted by said encryption means; a 
response data transmission means for trans- 
mitting IC card ID data and a certificate of Indi- 
vidual IC card key. together with said encrypted w 
data stored in said encrypted data storage 
mean^ as response data to said roadside 
equipment; 

(2) said roadside equipment including a divid- is 
Ing means for dividing said transmitted 
response data; a second decryption means for 
decrypting said certificate of individual IC card 
key data divided by said dividing means, using 

a validation key; a first matching determination 20 
means for making a matching determination of 
said IC card ID produced as a result of decryp- 
tion with ahother iC card ID provided by said 
dividing means; a first decryption means for 
producing response data by decrypting an 2S 
enaypted data provided by said dividing 
means; and a challenge data transmission 
means lor transmitting said challenge data to 
said IC card; and 

(3) said central processing equipment including 
challenge data storage means for storing said 
challenge data generated by said roadside 
equipment; and a second matching determina- 
tion means for receiving said response data 35 
decrypted by said first decryption means, and 
executing a matching determination of said 
response data with said challenge data stored 

in said challenge data storage means, 
said ETC authentication system providing 40 
authentication of said IC card ID by said road- 
side equipment by authenticating signature 
information received with said IC card ID. and 
said central processing equipment providing a 
matching determination of said response data 4s 
encrypted by said IC card and decrypted by 
said roadside equipment. 

22. An electronic toll collection ("ETC") authentication 
method comprising the steps of: so 

(1) encrypting challenge data using a secret 
key in an IC card, said challenge data being 
generated by roadside equipment and trans- 
mitted to said IC card when said IC card ss 
passes by said roadside^uipment; 

(2) storing said enaypted data; 



(3) transmitting an IC card ID data and a certif- 
icate of individual IC card key data, in addition 
to said stored encrypted data, as response 
data to said roadside equipment; 

(4) dividing said response data received by 
said roadside equipment; 

(5) decrypting said certificate of individual IC 
card key data, provided by the dividing step, 
using a validation key; 

(6) carrying out a matching determination of an 
IC card ID provided in the decrypting step with 
another IC card ID provided in the dividing 

. step; 

(7) providing a response data by decrypting 
said encrypted data provided in the dividing 
step; and 

(8) carrying out in said central processing 
equipment a matching determination of said 
response data decrypted by said roadside 
equipment with said challenge data. 

said ETC authentication method providing 
authentication of said IC card ID by said road- 
side equipment by authenticating signature 
information received with said tC card ID. and 
said central processing equipment providing a 
matching determination of said response data 
encrypted by said IC card and decrypted by 
said roadside equipment. 

23. An electronic toll collection ("ETC") authentication 
system comprising: 

(1) first roadside equipment including chal- 
lenge data and time generator / storage means 
for generating and storing challenge data and 
time information, and transmitting said chal- 
lenge data and time information to an IC card; 

(2) said IC card including an ID transmission 
means for transmitting an IC card ID before 
said IC card passes said first roadside equip- 
ment; an encryption means for receiving said 
challenge data and said time information gen- 
erated by said first roadside equipment, as said 
IC card passes said first roadside equipment, 
and encrypting received data using a secret 
key; a response data transmission means for 
transmitting an iC card ID data and a certificate 
of Individual IC card key data, together with 
said encrypted data as a response data to a 
second roadside equipment; 

(3) said second roadside equipment including a 
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first dividing means for dividing said response 
data; a second decryption means for decrypt- 
ing said certificate of individual IC card key 
data divided by said first dividing means, using 
a validation key; a first matching determination 5 
means for providing a matching determination 
of an IC card ID produced as a result of decryp- 
tion with another IC card ID provided by said 
first dividing means; and a first decryption 
means for producing a response data by 10 
decrypting an encrypted data obtained from 
said first dividing means; and 

(4) central processing equipment including a 
second dividing means for dividing said chal- is 
lenge data and said IC card ID generated by 
said first roadside equipment; a third dividing 
means for dividing said response data and said 
IC card ID decrypted by said second roadside 
equipment; and a second matching determina- 20 
tion means for making a matching determina- 
tion of said challenge data obtained by said 
second dividing means and said response data 
provided by said third dividing means, 
said ETC authentication system providing 2s 
authentication of said IC card ID by said sec- 
ond roadside equipment by authenticating sig- 
nature information received with said IC card 
ID, and said c^tral processing equipment pro- 
viding the matching determination of said 30 
response data encrypted by said IC card and 
decrypted by said second roadside equipment. 

24. The ETC authentication system according to claim 
23. wherein said second roadside equipment fur- 35 
ther comprises another decryption means for 
decrypting said encrypted data provided by said 
first dividing means, using a secret key reproduced 
by said second decryption means; and a validation 
means for providing time information, at which said 40 
IC card passed said first roadside equipment, from 
a decrypted result of said another decryption 
means, and for confirming if a difference between 
said time information and present time is within a 
predetermined time period. 45 

25- An electronic toll collection ("ETCT authentication 
method comprising the steps of: 

(1) receiving a card ID from an IC card before so 
said IC card passes first roadside equipment; 

(2) enaypting challenge data and tfme infor- 
mation using a secret key, said challenge data 

. and time information being generated by first ss 
roadside equipment and transmitted to said IC 
card when said IC card passes said first road- 
side equipment; 



(3) transn^ng IC card ID data and a certificate 
of individual IC card key data. In addition to 
said encrypted data, as a response data to 
second roadside equipment; 

(4) dividing said transmitted response data in 
said second roadside equipment; 

(5) decrypting said certificate of individual IC 
card key data provided in the dividing step 
using a validation key; 

(6) carrying out a matching determination of an 
IC card ID provided in the decryption step wit 
another IC card ID provided in the dividing 
step; 

(7) providing a response data by decrypting 
said encrypted data provided in the dividing 
step; 

(8) carrying out in central processing equip- 
ment a matching determination of said chal- 
lenge data provided from said first roadside 
equipment and said response data decrypted 
in said second roadside equipment. 

said ETC authentication method providing 
authentication of said IC card ID by said sec- 
ond roadside equipment by authenticating sig- 
nature Information received with said iC card 
ID. and said central processing equipment pro- 
viding the matching determination of said 
response data encrypted by said IC card and 
decrypted by said second roadside equipment. 

26. The ETC authentication method according to dalm 
25 further comprising the steps of: 

(1) decrypting said encrypted data provided by 
the dividing step, using a secret key repro- 
duced in said decryption step; and 

(2) providing time information, at which said IC 
card passed said first roadside equipment, as a 
result of the decryption step, and confirming if a 
difference between said time information and 
present time is within a predetermined time. 

27. An electronic toll collection ("ETC") authentication 
system comprising: 

(1) a fast roadside equipment including a chal- 
lenge data generation means for generating a 
challenge data, and transmitting said challenge 
data to an ICcard; _. 

(2) said IC card including an ID transmission 
means for transmitting an IC card ID before 
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said (C card passes said first roadside equip- 
ment; an encryption means for receiving said 
challenge data generated by said fast roadside 
equipment, as said IC card passes said fast 
roadside equipment, and encrypting said chat- 5 
lenge data using a secret key; and a response 
data transmission means for transmitting an IC 
card ID data and a certificate of individual IC 
card key data, together with said encrypted 
data as response data to second roadside w 
equipment; 

(3) said second roadside equipment including a 
first dividing means for dividing said response 
data; a decryption means for decrypting said is 
certificate of individual IC card key data divided 

by said fast dividing means, using a validation 
key; a fast matching determination means for 
providing a matching determination of said IC 
card ID produced as a result of decryption with 20 
another IC card ID provided by said fast divid- 
ing means; and a fast decryption means for 
decrypting an encrypted data provided by said 
fast dividing means to obtain response data; 

25 

(4) central processing equipment including a 
second dividing means for dividing said chal- 
lenge data and said IC card ID generated in 
said fast roadside equipment; a third dividing 
means for dividing said response data 30 
decrypted in said second roadside equipment 
and said IC card ID; and a second matching 
determination means for providing a matching 
determination of said challenge data obtained 

in said second dividing means and said 3S 
response data obtained in said third dividing 
means, 

said ETC authentication system providing 
authentication of said IC card ID by said sec- 
ond roadside equipment by authenticating sig- 40 
nature information received with said IC card 
ID. and said central processing equipment pro- 
viding the matching determination of said 
response data encrypted by said IC card and 
decrypted by said second roadside equipment. 4S 

28. An electronic toll collection ("ETC") authentication 
method conprising the steps of: 

(1) receiving a card ID from an IC card before so 
said IC card passes by first roadside equip- 
ment; 

(2) encrypting a challenge data using a secret 
key. said challenge data being generated by ss 
said first roadside equipment and transmitted 

to said IC card when said IC card passes said 
first roadside equipment; 



(3) transmitting each individual data of said IC 
card ID and a certificate of individual IC card 
key, in addition to said challenge data 
encrypted in the encryption step, as response 
data to second roadside equipment; 

(4) dividng said response data transmitted in 
the transmission stepby said second roadside 
equipment; 

(5) decrypting said certificate of individual tC 
card l^y data divided in the dividing step, using 
a validation key; 

(6) carrying out a matching determination of 
said IC card ID produced as a result of decryp- 
tion with another IC card ID provided by the 
dividing step; 

(7) producing a response data by decrypting 
said encrypted data provided by the dividing 
step; and 

(8) executing in centra! processing equipment a 
matching determination of said challenge data 
provided by said first roadside equipment and 
said r^onse data decrypted by said second 
roadside equipment, 

said ETC authentication method providing 
authentication of said IC card ID by said sec- 
ond roadside equipment by authenticating sig- 
nature information received said IC card ID, 
and said central processing equipment provid- 
ing the matching determination of said 
response data encrypted by said IC card and 
decrypted by said second roadside equipment. 
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